859 matches found
EUVD-2026-24680
The mCatFilter plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to and including 0.5.2. This is due to the complete absence of nonce verification and capability checks in the computepost function, which processes settings updates. The computepost function is...
CVE-2026-1930
The WordPress Emailchef plugin (versions up to 3.5.1) is vulnerable due to a missing capability check in page_options_ajax_disconnect(). This allows authenticated attackers with Subscriber-level access and higher to delete the plugin’s settings via the emailchef_disconnect AJAX action, exposing d...
CVE-2026-4131
The WP Responsive Popup + Optin plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to and including 1.4. This is due to the settings form on the admin page wpoadminpage.php lacking nonce generation wpnoncefield and verification wpverifynonce/checkadminreferer. Thi...
CVE-2026-4118
The Call To Action Plugin plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.1.3. This is due to missing nonce validation in the cboxoptionspage function which handles saving, creating, and deleting plugin settings. The form rendered on the...
CVE-2026-4139
The CVE-2026-4139 case concerns the WordPress mCatFilter plugin (versions
CVE-2026-4118
The Call To Action Plugin plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.1.3. This is due to missing nonce validation in the cboxoptionspage function which handles saving, creating, and deleting plugin settings. The form rendered on the...
CVE-2026-6041 Buzz Comments <= 0.9.4 - Authenticated (Administrator+) Stored Cross-Site Scripting via 'Custom Buzz Avatar' Setting
The Buzz Comments plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'Custom Buzz Avatar' buzzcommentsavatarimage setting in all versions up to, and including, 0.9.4. This is due to insufficient input sanitization and output escaping. This makes it possible for authenticate...
WordPress plugin Call To Action Plugin 跨站请求伪造漏洞
WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows for the creation of personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application that can be install...
WordPress plugin Emailchef 安全漏洞
WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows for the creation of personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application that can be install...
WordPress plugin WP Responsive Popup + Optin 跨站请求伪造漏洞
WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows for the creation of personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application that can be install...
CVE-2026-6703
The Responsive Blocks – Page Builder for Blocks & Patterns plugin for WordPress is vulnerable to unauthorized access in all versions up to, and including, 2.2.1. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticat...
WordPress Livemesh Addons by Elementor plugin <= 9.0 - Missing Authorization to Authenticated (Subscriber+) Stored Cross-Site Scripting via Plugin Settings vulnerability
Missing Authorization to Authenticated Subscriber+ Stored Cross-Site Scripting via Plugin Settings vulnerability discovered by Muhammad Yudha - DJ in WordPress Plugin Livemesh Addons for Elementor versions = 9.0...
CVE-2026-1572
CVE-2026-1572 affects Livemesh Addons for Elementor (WordPress). All versions up to 9.0 are vulnerable due to missing authorization checks on AJAX handler lae_admin_ajax() and insufficient output escaping across multiple checkbox settings fields. This enables authenticated users with Subscriber-l...
WordPress WholeSale Products Dynamic Pricing Management WooCommerce plugin <= 1.2 - Authenticated (Administrator+) Stored Cross-Site Scripting via Plugin Settings vulnerability
Authenticated Administrator+ Stored Cross-Site Scripting via Plugin Settings vulnerability discovered by Muhammad Nur Ibnu Hubab Ibnu - Pondok Teknologi in WordPress Plugin WholeSale Products Dynamic Pricing Management WooCommerce versions = 1.2...
CVE-2026-4479 WholeSale Products Dynamic Pricing Management WooCommerce <= 1.2 - Authenticated (Administrator+) Stored Cross-Site Scripting via Plugin Settings
The WholeSale Products Dynamic Pricing Management WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated...
WordPress Aruba HiSpeed Cache plugin <= 3.0.4 - Cross-Site Request Forgery to Plugin Settings Reset vulnerability
Cross-Site Request Forgery to Plugin Settings Reset vulnerability discovered by Legion Hunter in WordPress Plugin Aruba HiSpeed Cache versions = 3.0.4...
CVE-2026-3574 Experto Dashboard for WooCommerce <= 1.0.4 - Authenticated (Administrator+) Stored Cross-Site Scripting via 'Navigation Font Size' Setting
The Experto Dashboard for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's settings fields including 'Navigation Font Size', 'Navigation Font Weight', 'Heading Font Size', 'Heading Font Weight', 'Text Font Size', and 'Text Font Weight' in all versions...
CVE-2026-3646
The CVE concerns the WordPress plugin LTL Freight Quotes – R+L Carriers Edition (versions up to and including 3.3.13). A standalone PHP webhook handler processes GET parameters without proper authentication, authorization, or nonce verification, allowing unauthenticated attackers to modify subscr...
CVE-2026-34394
WWBN AVideo is an open source video platform. In versions 26.0 and prior, AVideo's admin plugin configuration endpoint admin/save.json.php lacks any CSRF token validation. There is no call to isGlobalTokenValid or verifyToken before processing the request. Combined with the application's explicit...
CVE-2026-3191
The Minify HTML plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.1.12. This is due to missing or incorrect nonce validation on the 'minifyhtmlmenuoptions' function. This makes it possible for unauthenticated attackers to update plugin settin...